Not every cloud has a silver lining

How do I know whether a cloud provider will protect my data sufficiently?

We get asked this a lot, and our answer is always that data protection starts at home. Before contacting any provider you need to assess what security level is necessary for the data and applications you want to move to the cloud. Once this is established, you can start worrying about the supplier. Research their security policies, search for independent third-party attestation – and don’t forget to check if you can monitor the security controls and practices. If you do all this, you’ll have a picture of how your data will be protected.

If my cloud provider is Safe Harbour compliant, do I need a EU model contract as well?

Since October 6 2015 you can no longer rely on the Safe Harbour framework for transfers of personal data from the EU to the USA. If you are still using a US cloud provider, our advice is to to verify if your cloud provider has a Privacy Shield certification for the specific transfer at hand. If not, conclude EC model contracts as soon as possible. We can help you make the shift.

My cloud provider won’t accept changes to the contract. Should I just sign?

We would never advise you to ‘just sign’ anything, especially in this case. Moving data to the cloud doesn’t exempt it from legal considerations, nor is an imbalance in contractual power a justification to accept a contract that doesn’t comply with data protection law. The bottom line is that you must have a cloud provider that provides sufficient guarantees. There are several reports and tools available to help you select a suitable provider – just ask us for more details.